Networks Training

You are here: Home / Cisco Switches / Traffic Filtering on Cisco Layer3 Switches using ACL and VACL

Traffic Filtering on Cisco Layer3 Switches using ACL and VACL

Written By

Cisco devices offer excellent features for traffic filtering. The classic Access Control List (ACL) is the core mechanism on Cisco network devices (routers, switches etc) which is mainly used for traffic filtering.

In this article we will examine a different type of ACL, called the Vlan Access Control List (VACL) which works a little different from the classic ACL.

In any network setup you need to have full control on traffic that enters and leaves your network. Most of the times we use filtering to permit or deny specific routed traffic from one Layer3 subnet to another Layer3 subnet.

Usually this type of filtering is controlled by ACLs which filter routed traffic (i.e traffic between different Layer3 networks).

What if we want to control traffic flow within the same VLAN (and hence, within the same Layer3 network)? This can be achieved using a VACL which can block or permit traffic flow within the same VLAN.

VACLs are supported on Cisco Layer3 switches. In this tutorial we will examine two simple filtering examples:

  1. Traffic filtering on a Layer3 switch using classic ACL for traffic control between layer3 networks.
  2. Traffic filtering on a Layer3 switch using Vlan ACL (VACL) for traffic control within the same layer3 network (vlan).

For more information about Layer3 switches and inter-vlan routing see this post HERE.

Let’s start with our first example:

1. Traffic Filtering Using classic ACL on Cisco Layer3 switch

As you have learned in CCNA you can filter traffic using an ACL that can be either:

  • Standard ACL: Contains only source IP address.
  • Extended ACL: Contains both source/destination IPs and ports.

*filtering can also be done using prefix-lists and route-maps but it’s not the objective of this tutorial.

In this first simple ACL filtering example, the requirement is to block telnet traffic from Host1 to Host2. To achieve this, we will use an extended ACL applied inbound on one of the Switch VLAN Interfaces (SVI) (vlan 10) of the Layer3 switch as shown below.

MORE READING:  The Most Important Cisco Show Commands You Must Know (Cheat Sheet)

layer 3 switch traffic filtering

First let’s verify connectivity between the hosts before applying the ACL:

H1#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

H1#telnet 172.16.0.1
Trying 172.16.0.1 … Open
User Access Verification
Username:

As shown above, we have connectivity between the two hosts. To demonstrate how you can use ACL filtering, I will block the telnet session from Host1 to Host2 using an ACL applied inbound on the SVI interface for VLAN10 of the switch.

NOTE:

An ACL applied inbound on the SVI interface (interface vlan 10) blocks traffic coming from hosts connected to VLAN10 ports towards the switch.

Configuration on the switch that will block telnet from Host1 to Host2.

  1. Configure ACL on the switch to block telnet

ip access-list extended Block_Telnet
deny tcp host 192.168.1.1 host 172.16.0.1 eq 23
   permit ip any any < —- permit all other traffic

  1. Apply the ACL to the SVI Interface of the switch

interface Vlan10 < —- This is the first SVI of the Layer3 switch for VLAN10 
description to Host1
ip address 192.168.1.2 255.255.255.0
ip access-group Block_Telnet in   < — Apply the ACL inbound to filter traffic that comes in the SVI from Host1

interface Vlan20 < —- This is the second SVI of the Layer3 switch for VLAN20 (no ACL on this one)
description to Host2
ip address 172.16.0.2 255.255.255.0

  1. Verification

H1#telnet 172.16.0.1
Trying 172.16.0.1 ….
% Connection timed out; remote host not responding

As you can see, telnet traffic has been blocked.

2. Traffic Filtering Using VACL on a Cisco Layer3 switch

An ACL is using source and/or destination IPs and ports to directly match packets that are to be filtered.

A VACL on the other hand is used in switched networks where you want to filter traffic within the VLAN. VACLs are similar in logic with route maps but instead of “route-map” entries they contain “access-map” entries.

Each “access-map” entry contains a match statement (using a normal ACL) and forward or drop actions accordingly.

You can have different matching statements for every access-map sequence and they will be processed in the order they are entered.

MORE READING:  How to Configure Cisco Router-on-a-stick with Switch

Just like a normal route map, there is an implicit deny-all statement at the end so make sure to create a final access-map entry which permits all other traffic.

cisco vlan access control list VACL

As shown on the diagram, we have two hosts in the same VLAN 100 (and same Layer3 subnet 192.168.1.0/24) connected on the same Layer3 switch. We want to restrict telnet access from Host1 to Host2.

First let’s verify connectivity between the two hosts without the VACL applied:

H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

H1#telnet 192.168.1.2
Trying 192.168.1.2… Open
User Access Verification
Username:

Configuration of VACL on the switch to block telnet from Host1 to Host2

  1. Configure an ACL to match telnet traffic from Host1 to Host2.

SW1(config)#ip access-list extended Block_Telnet
SW1(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.1.2 eq 23
SW1(config-ext-nacl)#exit

  1. Configure the Vlan Access Map aka VACL

SW1(config)#vlan access-map VACL_ Block_Telnet 10   < —- First VACL entry
SW1(config-access-map)#action drop   < —- sets the action to drop
SW1(config-access-map)#match ip address Block_Telnet < — matches the ACL configured above

SW1(config-access-map)#vlan access-map VACL_ Block_Telnet 20 < —- Second VACL entry
SW1(config-access-map)#action forward    < —- permits all other traffic
SW1(config-access-map)#exit

IMPORTANT

The configuration above might look confusing. The ACL in Step1 contains a “permit” statement for telnet traffic between Host1 to Host2. This DOES NOT mean that we permit telnet. The “permit” statement is used to match telnet traffic from Host1 to Host2 and then drop that traffic inside the VACL access-map with the “action drop” command (see Step2).

  1. Apply the VACL on the VLAN

SW1(config)#vlan filter VACL_ Block_Telnet vlan-list 100

Verification

H1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

H1#telnet 192.168.1.2
Trying 192.168.1.2…
% Connection timed out; remote host not responding

Telnet on another port works fine

H1#192.168.1.2 80
Trying 192.168.1.2, 80 … Open

VACL vs ACL

After configuring both VACL and ACL in this article you should have figured out already the differences between the two.

Let’s summarize them below:

  • VACL is a Layer 2 concept. It can be applied on a VLAN to restrict and control traffic flow on hosts within the same Layer 2 VLAN on intra-VLAN (i.e same subnet).
  • ACL on the other hand is a Layer 3 concept. An Access Control List (ACL) controls Layer 3 traffic between different VLANs/subnets (Layer 3 networks). So it works on inter-VLAN traffic.

DOWNLOAD ARTICLE AS PDF FILE

Related Posts

Filed Under: Cisco Switches

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. GERSON says

    Very nice example. But I think I could get the same result with the following ACL?

    access-list 100 deny ip 192.168.1.2 255.255.255.255 192.168.1.1 255.255.255.255 eq 23

    Thank you

  2. Harris Andrea says

    Hi Gerson,

    Do you mean to use the suggested access-list 100 as a matching ACL for the VACL access-map?

    If you mean to use a normal ACL directly for blocking traffic within the VLAN, it won’t work. You must use a VACL to block traffic within a VLAN.

    Harris

  3. Greg Garman says

    Looks great. I love to see functional examples like this to work from.
    Is there a way to take this one step further and prioritize specific traffic to do traffic shaping within the VLAN?

  4. Harris Andrea says

    Greg,

    I haven’t tested it with traffic prioritization. It depends on the switch model and what features it supports. On 6500 switches, VACL has more capabilities.

  5. cliff says

    great job!
    very succint and to the point.
    Thanks for mentioning the ‘confusing’ part where the ‘permit’ statement is actually used to identify the traffic, and not the define the action.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx